php + sql search
Mark Fowler
mark at twoshortplanks.com
Thu Oct 31 16:08:56 GMT 2002
On Thu, 31 Oct 2002, Robin Garbutt wrote:
> $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
A side issue... Not that I really use PHP (tending to use a lot of Perl to
do that kind of thing), but don't you have to do something to protect $name
at this point instead of just string interpolating, in case someone puts in
a "'" inside of it (in which case they can break your code/cause serious
mischief)?
Mark.
(who really should learn more PHP)
--
s'' Mark Fowler London.pm Bath.pm
http://www.twoshortplanks.com/ mark at twoshortplanks.com
';use Term'Cap;$t=Tgetent Term'Cap{};print$t->Tputs(cl);for$w(split/ +/
){for(0..30){$|=print$t->Tgoto(cm,$_,$y)." $w";select$k,$k,$k,.03}$y+=2}
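
The concern raised in the reply above, as an added example that is not part of the original thread: $name is bound as a parameter instead of being interpolated, and LIKE wildcards in it are escaped. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection; the sample rows and the helper names like_escape and search_by_name are constructed for illustration.

```php
<?php
// Added example: constructed rows in an in-memory SQLite database (assumption),
// standing in for the MySQL table `db` from the quoted query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE db (name TEXT)");
$insert = $pdo->prepare("INSERT INTO db (name) VALUES (?)");
foreach (["O'Brien", "Robinson", "100% cotton", "under_score"] as $row) {
    $insert->execute([$row]);
}

// Hypothetical helper: escape LIKE wildcards so user input matches literally.
// '!' is used as the escape character and is itself doubled.
function like_escape(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Hypothetical helper: substring search with the value bound as a parameter,
// so it never becomes part of the SQL text.
function search_by_name(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM db WHERE name LIKE ? ESCAPE '!'");
    $stmt->execute(['%' . like_escape($name) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Interpolated form, as in the quoted line: a lone quote in $name ends the
// string literal early, so the statement no longer parses as intended.
$name = "O'B";
try {
    $pdo->query("SELECT name FROM db WHERE name LIKE '%$name%'");
    echo "interpolated: query ran\n";
} catch (PDOException $e) {
    echo "interpolated: ", $e->getMessage(), "\n";
}

// Bound form: the same input is treated purely as data.
print_r(search_by_name($pdo, "O'B"));

// Escaped wildcards match themselves instead of matching every row.
print_r(search_by_name($pdo, "%"));
print_r(search_by_name($pdo, "_"));
```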